This topic shows you how to authenticate users in Azure Mobile Services from your universal Windows app. In this tutorial, you add authentication to the quickstart project using an identity provider that is supported by Mobile Services. After being successfully authenticated and authorized by Mobile Services, the user ID value is displayed.

This tutorial walks you through these basic steps to enable authentication in your app:

This tutorial demonstrates the authentication flow managed by Mobile Services using a variety of identity providers. This method is easy to configure and supports multiple providers. To instead use Live Connect with client-managed authentication and provide a single sign-on experience in your Windows Phone app, see the topic Single sign-on for Windows Store apps by using Live Connect. By using client-managed authentication, your app has access to additional user data maintained by the identity provider. You can get the same user data in your mobile service by calling the user.getIdentities() function in server scripts. For more information, see this post.

Register your app for authentication and configure Mobile Services

To authenticate users, register your app with an identity provider, and then register the provider-generated client credentials with Azure Mobile Services.

Log on to the Azure Management Portal, click Mobile Services, and then click your mobile service.

Click the Dashboard tab and note the Mobile Service URL value. You may need to provide this value to the identity provider when you register your app.

Choose a supported identity provider from the list below. Follow the steps to register your app with that provider. Remember to make a note of the client identity and secret values generated by the provider.

IMPORTANT:

The provider-generated secret is an important security credential. Do not share this secret with anyone or distribute it with your app.

Back in the Management Portal, click the Identity tab, enter the app identifier and shared secret values obtained from your identity provider, and click Save. Both your mobile service and your app are now configured to work with your chosen authentication provider.

IMPORTANT:

Verify that you've set the correct redirect URI on your identity provider's developer site. As described in the linked instructions for each provider above, the redirect URI may be different for a .NET backend service vs. for a JavaScript backend service. An incorrectly configured redirect URI may result in the login screen not being displayed properly and the app malfunctioning in unexpected ways.

Note that this step is optional because it only applies to the Microsoft Account login provider. When you register your Windows Store app package information with Mobile Services, the client is able to re-use Microsoft Account login credentials for a single sign-on experience. If you do not do this, your Microsoft Account login users will be presented with a login prompt every time that the login method is called. Complete this step when you plan to use the Microsoft Account identity provider.

Restrict permissions to authenticated users

In the Management Portal, click the Data tab, and then click the TodoItem table.

Click the Permissions tab, set all permissions to Only authenticated users, and then click Save. This ensures that all operations against the TodoItem table require an authenticated user.

In Visual Studio, right-click the Windows Store project for the TodoList app and click Set as StartUp Project.

In the shared project, open the App.xaml.cs project file, locate the definition for the MobileServiceClient, and make sure that it is configured to connect to the mobile service running in Azure.

Note that when you use Visual Studio tools to connect your app to a Mobile Service, the tool generates two sets of MobileServiceClient definitions, one for each client platform. This is a good time to simplify the generated code by unifying the #if...#endif wrapped MobileServiceClient definitions into a single unwrapped definition used by both versions of the app. You won't need to do this if you downloaded the quickstart app from the Azure Management Portal.

Press the F5 key to run the Windows Store app, and verify that an unhandled exception with a status code of 401 (Unauthorized) is raised after the app starts.

This happens because the app attempts to access Mobile Services as an unauthenticated user, but the TodoItem table now requires authentication.

Next, you will update the app to authenticate users before requesting resources from the mobile service.

Add authentication to the app

Open the shared project file MainPage.cs and add the following using statement:

This user is authenticated by using a Facebook login. If you are using an identity provider other than Facebook, change the value of MobileServiceAuthenticationProvider above to the value for your provider.

Comment out or delete the call to the RefreshTodoItems method in the existing OnNavigatedTo method override.

This prevents the data from being loaded before the user is authenticated.

NOTE:

To successfully authenticate from a Windows Phone Store 8.1 app, you must call LoginAsync after the OnNavigated method has been called and after the page's Loaded event has been raised. In this tutorial, this is done by adding a Sign in button to the app.

If the OnActivated method already exists, just add the #if...#endif code block.

Press the F5 key to run the Windows Store app, click the Sign in button, and sign into the app with your chosen identity provider.

When you are successfully logged in, the app should run without errors, and you should be able to query Mobile Services and make updates to data.

Right-click the Windows Phone Store app project, click Set as StartUp Project, then repeat the previous step to verify that the Windows Phone Store app also runs correctly.

Store the authorization token on the client

The previous example showed a standard sign-in, which requires the client to contact both the identity provider and the mobile service every time that the app starts. Not only is this method inefficient, but you can also run into usage-related issues should many customers try to start your app at the same time. A better approach is to cache the authorization token returned by Mobile Services and try to use this first before falling back to a provider-based sign-in.

NOTE:

You can cache the token issued by Mobile Services regardless of whether you are using client-managed or service-managed authentication. This tutorial uses service-managed authentication.

In the MainPage.xaml.cs project file, add the following using statements:

In this version of AuthenticateAsync, the app tries to use credentials stored in the PasswordVault to access the mobile service. A simple query is sent to verify that the stored token is not expired. When a 401 is returned, a regular provider-based sign-in is attempted. A regular sign-in is also performed when there is no stored credential.
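The following is an added example that shows both the Sign in button flow described in "Add authentication to the app" and the cached-token version of AuthenticateAsync described above; it is not the tutorial's own code. It assumes the quickstart's static App.MobileService field (a MobileServiceClient), the quickstart's TodoItem class and RefreshTodoItems method, and a Button in MainPage.xaml whose Click event is wired to SignInButton_Click. The vault resource name "MobileServiceAuth" is a constructed value.

```csharp
// Added example for MainPage.xaml.cs in the shared project (not the tutorial's code).
// Assumes App.MobileService, TodoItem and RefreshTodoItems from the quickstart, and a
// SignInButton declared in MainPage.xaml.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MobileServices;
using Windows.Security.Credentials;
using Windows.UI.Popups;
using Windows.UI.Xaml;
using Windows.UI.Xaml.Controls;
using Windows.UI.Xaml.Navigation;

public sealed partial class MainPage : Page
{
    // Change this to the provider you registered, e.g. MicrosoftAccount or Twitter.
    private const MobileServiceAuthenticationProvider Provider =
        MobileServiceAuthenticationProvider.Facebook;
    // Constructed resource name under which the token is cached in the vault.
    private const string VaultResource = "MobileServiceAuth";

    private MobileServiceUser user;

    protected override void OnNavigatedTo(NavigationEventArgs e)
    {
        // RefreshTodoItems() is intentionally not called here: the table now rejects
        // anonymous requests, and Windows Phone 8.1 needs LoginAsync to run after Loaded.
    }

    private async void SignInButton_Click(object sender, RoutedEventArgs e)
    {
        if (await AuthenticateAsync())
        {
            await new MessageDialog("You are now logged in - " + user.UserId).ShowAsync();
            RefreshTodoItems();   // quickstart method that loads the TodoItem table
        }
    }

    // Returns true when App.MobileService.CurrentUser holds a token the service accepted.
    private async Task<bool> AuthenticateAsync()
    {
        var vault = new PasswordVault();
        PasswordCredential credential = FindCached(vault).FirstOrDefault();

        if (credential != null)
        {
            // Rebuild the user from the cached token and make it current for all requests.
            credential.RetrievePassword();
            user = new MobileServiceUser(credential.UserName);
            user.MobileServiceAuthenticationToken = credential.Password;
            App.MobileService.CurrentUser = user;

            // The only reliable expiry check is a real call: the service answers 401 for an
            // expired or revoked token. A one-row query keeps the cost of the probe low.
            try
            {
                await App.MobileService.GetTable<TodoItem>().Take(1).ToListAsync();
                return true;
            }
            catch (MobileServiceInvalidOperationException ex)
            {
                if (ex.Response == null || ex.Response.StatusCode != HttpStatusCode.Unauthorized)
                {
                    throw;   // network or server error, not a stale token
                }
                // Stale token: purge it so it is never retried, then fall through to a login.
                vault.Remove(credential);
                App.MobileService.CurrentUser = null;
            }
        }

        try
        {
            // No usable cached token: interactive, provider-based sign-in.
            user = await App.MobileService.LoginAsync(Provider);
        }
        catch (InvalidOperationException)
        {
            // The user cancelled or the provider rejected the login; stay signed out.
            return false;
        }

        // Cache only the Mobile Services token (never the provider's client secret) in the
        // per-user encrypted PasswordVault, replacing any older entry for this resource.
        foreach (PasswordCredential old in FindCached(vault))
        {
            vault.Remove(old);
        }
        vault.Add(new PasswordCredential(VaultResource, user.UserId,
                                         user.MobileServiceAuthenticationToken));
        return true;
    }

    // FindAllByResource throws when nothing matches, so report "not found" as empty.
    private static IReadOnlyList<PasswordCredential> FindCached(PasswordVault vault)
    {
        try { return vault.FindAllByResource(VaultResource); }
        catch (Exception) { return new PasswordCredential[0]; }
    }
}
```

Two points are worth noting. First, the cached token is probed with a real request rather than inspected locally, so a token the service has revoked is also detected and discarded, not just one that has expired. Second, the handler caches the Mobile Services token only; the provider-generated secret from the registration step stays on the service side, as the IMPORTANT note above requires. On Windows Phone 8.1 the OnActivated continuation block that the tutorial adds to App.xaml.cs is still needed for LoginAsync to complete; this example does not replace it.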